Email viruses and spam explained

This might look a little technical, but bear with me; I think you'll find it will pay off if you get to the end - make sure you've got your favourite drink nearby...

On Mon, 2004-03-15 at 02:41, one subscriber to a list I read wrote:

I sent the e-mail address of the mail I got that was trying to put a virus in my works to hotmail.com. Unfortunately I only sent the e-mail address and not the whole message.

The above is but one quote of many seen on this (and other) lists that attempt to deal with email viruses. The approach taken is more than most would take, and I must commend the author for trying, but I have some bad news.

This is a complete waste of time, because the account that the message came from is very likely to be made up. Most email viruses these days do the following things, in a more or less sophisticated manner:

  • Search for email addresses
  • Generate a new email address that looks plausible - often based on the email addresses gathered above
  • Send a copy of the virus to each address, using one of the generated addresses as the return address

The only way you can detect where the virus comes from is from the headers of the email. I'll include a full header in this message and show you where the origin shows up. Also note that I've replaced anything that refers directly to me or my email address with "<obfuscated>", because I get enough spam as it is and I don't need spam hunters going through the archive to find more ways of getting spam to me...

Now, a typical email header looks a little like the tangled mess below. It is made visible if you choose "Show Headers" in your email programme - in whatever way it supports that...

Below I'll explain how to read this mess. (For this explanation, I've added an empty line between each header line; otherwise it would look quite overwhelming.)

Received: from localhost ([127.0.0.1]) by <obfuscated> with esmtp (Exim 3.36 #1 (Debian)) id 1AmR99-0007XM-00 for <obfuscated> Fri, 30 Jan 2004 15:54:51 +1030

Received: from hedgehog.highway1.com.au [203.7.224.11] by localhost with POP3 (fetchmail-6.2.4) for <obfuscated> (single-drop); Fri, 30 Jan 2004 15:54:51 +1030 (CST)

Received: from perth.highway1.com.au (ns.highway1.com.au [203.7.224.10]) by hedgehog.highway1.com.au (8.12.10/8.12.10) with ESMTP id i0U5NSWT018710 for <obfuscated> Fri, 30 Jan 2004 13:23:28 +0800 (WST)

Received: from mail4.highway1.com.au (mail4.highway1.com.au [203.7.224.12]) by perth.highway1.com.au (8.12.10/8.12.10) with ESMTP id i0U5NSar020463 for <obfuscated> Fri, 30 Jan 2004 13:23:28 +0800 (WST)

Received: from khe.siemens.de (ppp-225-20-29.friaco.access.uk.tiscali.com [80.225.20.29]) by mail4.highway1.com.au (8.12.10/8.12.10) with ESMTP id i0U5MlAt009055 for <obfuscated> Fri, 30 Jan 2004 13:23:03 +0800 (WST)

Message-Id: <200401300523.i0U5MlAt009055@mail4.highway1.com.au>

From: <obfuscated>

To: <obfuscated>

Subject: Mail Delivery System

Date: Fri, 30 Jan 2004 05:22:10 +0000

MIME-Version: 1.0

Content-Type: multipart/mixed; boundary="----=_NextPart_000_0000_0CEED3F8.CB587976"

X-Priority: 3

X-MSMail-Priority: Normal

Let me explain what is happening.

Before we begin, note that each line in the email header starts with a keyword and a colon. The keywords in these headers are: "Received:", "Message-Id:", "From:", "To:", "Subject:", "Date:", "MIME-Version:", "Content-Type:", "X-Priority:" and "X-MSMail-Priority:".

The lines we care about are the ones marked "Received:".

You should know that every time an email message is passed to another computer, another "Received:" line (or header, as it's normally called) is added to the top of the message.

This means that a freshly written email message has no "Received:" header, and the one that gets to you has at least one, but more likely several.

When an email is created, it is sent to a computer on the Internet which adds the first "Received:" header (the one closest to the message, or in this example, the one that starts with "Received: from khe.siemens.de"):

Received: from khe.siemens.de (ppp-225-20-29.friaco.access.uk.tiscali.com [80.225.20.29]) by mail4.highway1.com.au (8.12.10/8.12.10) with ESMTP id i0U5MlAt009055 for <obfuscated>; Fri, 30 Jan 2004 13:23:03 +0800 (WST)

When a computer connects to another computer on the net, both computers have an address (an IP address), and some of them have a name too. The header above is the "smoking gun", if you like.

The header states (in more or less plain English) the following:

At this time, I received an email from a computer that claimed it was called Simon, but was actually called Peter. The message was intended for Onno.

Where:

  • Simon is the Siemens computer.
  • Peter is the Tiscali computer.
  • Onno is the final recipient of the email (<obfuscated>).

So, using the actual information with the same formatting, we get:

On Fri, 30 Jan 2004 at 13:23:03 +0800 (WST), the computer mail4.highway1.com.au received an email from a computer claiming to be "khe.siemens.de" but which was actually "ppp-225-20-29.friaco.access.uk.tiscali.com", with the IP address "80.225.20.29". The identifier for this message was "i0U5MlAt009055", and the message was sent to "<obfuscated>".

So, if you're still reading, the catch is that the Siemens computer is actually a Tiscali computer, and the Siemens name most likely came from the address book of the user of the Tiscali computer.

On the face of it, we could send an email to abuse@tiscali.com and be done with it.

The problem is that while this message was a virus, others that look exactly the same are not. So you cannot raise a virus warning based on such a mismatch alone.

You might well ask: "In what circumstance can we see the same header behaviour where this is perfectly fine?"

My computer sends and receives email. It is connected to the Internet via Optus Satellite. My domain is hosted with Highway1. All email I receive comes to the Highway1 computers, but all email I send leaves via Optus.

If I were to send an email to you directly (not via the list), you'd notice that the last "Received:" header (the first one added) shows the same behaviour - one computer claiming to be one thing but actually being another. (In my case you'd see latte.internal.itmaze.com.au actually being OptusSatelliteServices.22bjc76f09.optus.net.au, or 61.88.171.38.)

So, now that you know how to read the headers of an email, what can you do with that?

If the message you received is a virus, you can send a polite message to the ISP informing them that they may have an infected machine on their network and asking whether they could please do something about it. (Make sure you give them all the headers, not just a message saying "You've got an infected machine.")

Note that sending such a message may attract spam, because some ISPs actively gather email addresses and yours has just been added to their list.

Another thing you can do with this is work out how the message got to you. For example, I have a friend who works for a company called "Ampac". I know that he is the only person I know with that relationship, so if a virus arrives claiming to be from Ampac, odds-on it's from my friend and not from Ampac.

So, now that you're armed with a little more information, you can understand why this email thing is so complicated, why we still have spam and why there are email viruses.

I'm sorry I don't have any more information to impart...

Update: There are now some email viruses that fake the first "Received:" line, which means that the first set of indicators of where an email came from might be fake.

The impact of that is that you can no longer use the method above to determine where all email, spam or virus, comes from. There are a number of tricks, and if I have the inclination I might add that information here at a future date.
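As an added example (not code from the original article), here is a small Python script that does by machine what the article does by eye: it splits each "Received:" line into the name the sending computer claimed, the name and IP address the receiving relay actually recorded, and the relay that wrote the line, and it flags the mismatches. It also addresses the Update above: it walks the lines from the top (newest) down, believing each one only while it was written by a relay on my own delivery path, and stops at the first connection that came from outside that path. The header block is the one from this article; the trusted-relay set is an assumption modelled on the Highway1 set-up described above, and the bottom "Received:" line (relay.example.invalid, 192.0.2.1, id FORGED0001) is a constructed, forged line of the kind the Update warns about, so you can see that the walk never reaches it.

```python
import re
from typing import Dict, List, Optional, Set

# Two shapes of "Received:" line appear in the article's header block:
#   from <claimed> (<actual-name> [<ip>]) by <relay> ...   (Sendmail style)
#   from <claimed> [<ip>] by <relay> ...                    (fetchmail style)
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<claimed>\S+)"
    r"(?:\s+\((?:(?P<actual>[^\s\[\]()]+)\s*)?\[(?P<ip>[^\]]+)\]\)"  # "(name [ip])" or "([ip])"
    r"|\s+\[(?P<ip2>[^\]]+)\])?"                                     # bare "[ip]"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

# Relays on MY delivery path, whose "Received:" lines I believe. Assumption,
# modelled on the article's Highway1 set-up; a leading dot means "anything under it".
TRUSTED_RELAYS: Set[str] = {"<obfuscated>", "localhost", ".highway1.com.au"}

# The article's header block, plus one CONSTRUCTED, folded, forged "Received:"
# line at the bottom of the kind the Update paragraph warns about. The name
# relay.example.invalid, the address 192.0.2.1 and the id FORGED0001 are placeholders.
SAMPLE_HEADERS = """\
Received: from localhost ([127.0.0.1]) by <obfuscated> with esmtp (Exim 3.36 #1 (Debian)) id 1AmR99-0007XM-00 for <obfuscated> Fri, 30 Jan 2004 15:54:51 +1030
Received: from hedgehog.highway1.com.au [203.7.224.11] by localhost with POP3 (fetchmail-6.2.4) for <obfuscated> (single-drop); Fri, 30 Jan 2004 15:54:51 +1030 (CST)
Received: from perth.highway1.com.au (ns.highway1.com.au [203.7.224.10]) by hedgehog.highway1.com.au (8.12.10/8.12.10) with ESMTP id i0U5NSWT018710 for <obfuscated> Fri, 30 Jan 2004 13:23:28 +0800 (WST)
Received: from mail4.highway1.com.au (mail4.highway1.com.au [203.7.224.12]) by perth.highway1.com.au (8.12.10/8.12.10) with ESMTP id i0U5NSar020463 for <obfuscated> Fri, 30 Jan 2004 13:23:28 +0800 (WST)
Received: from khe.siemens.de (ppp-225-20-29.friaco.access.uk.tiscali.com [80.225.20.29]) by mail4.highway1.com.au (8.12.10/8.12.10) with ESMTP id i0U5MlAt009055 for <obfuscated> Fri, 30 Jan 2004 13:23:03 +0800 (WST)
Received: from relay.example.invalid (relay.example.invalid [192.0.2.1])
    by khe.siemens.de with ESMTP id FORGED0001; Fri, 30 Jan 2004 05:22:00 +0000
Message-Id: <200401300523.i0U5MlAt009055@mail4.highway1.com.au>
From: <obfuscated>
Subject: Mail Delivery System
"""


def unfold(raw: str) -> List[str]:
    """Join folded header lines: a line starting with whitespace continues the previous one."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(raw: str) -> List[Dict[str, object]]:
    """One dict per "Received:" header, newest (top of message) first."""
    hops: List[Dict[str, object]] = []
    for line in unfold(raw):
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        claimed = m.group("claimed")
        actual = m.group("actual")          # reverse-DNS name the relay recorded, if any
        hops.append({
            "claimed": claimed,
            "actual": actual or claimed,    # no reverse name recorded: nothing to compare against
            "ip": m.group("ip") or m.group("ip2"),
            "by": m.group("by"),
            "mismatch": actual is not None and actual.lower() != claimed.lower(),
        })
    return hops


def is_trusted(host: str, trusted: Set[str]) -> bool:
    host = host.lower()
    return host in trusted or any(host.endswith(s) for s in trusted if s.startswith("."))


def origin_hop(hops: List[Dict[str, object]], trusted: Set[str]) -> Optional[Dict[str, object]]:
    """Walk newest -> oldest while each line was written by a relay we trust.

    The first hop whose sending host is outside that set is the originating
    connection we can believe. Anything older than it was under the sender's
    control and may be forged, so it is never examined."""
    for hop in hops:
        if not is_trusted(str(hop["by"]), trusted):
            return None                     # chain left our relays without an origin: give up
        if not is_trusted(str(hop["actual"]), trusted):
            return hop
    return None


def describe(hop: Dict[str, object]) -> str:
    """Spell a hop out the way the article does."""
    if hop["mismatch"]:
        return (f'{hop["by"]} received mail from a computer claiming to be "{hop["claimed"]}" '
                f'but actually "{hop["actual"]}" ({hop["ip"]})')
    return f'{hop["by"]} received mail from "{hop["actual"]}" ({hop["ip"]})'


if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    for hop in hops:
        print(describe(hop))
    origin = origin_hop(hops, TRUSTED_RELAYS)
    print("origin:", describe(origin) if origin else "undetermined")
```

Run on the sample, the walk stops at the mail4.highway1.com.au line (the khe.siemens.de / Tiscali hop) and never looks at the forged line beneath it. Note that the perth.highway1.com.au line is also reported as a mismatch (it claims perth but the relay saw ns.highway1.com.au), which is the article's point that a mismatch on its own proves nothing; the trust decision uses the name the relay recorded, never the claimed one.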

As the saying goes: if you invent a smarter mousetrap, chances are smarter mice will figure out a way to defeat it.